- Check for Virtual Network Integration
Ensure that your Microsoft Azure Cosmos DB account can be accessed only from an Azure virtual network (VNet) in order to minimize exposure to public networks, reducing the risk of unauthorized access and potential security breaches.
Virtual network (VNet) integration for Microsoft Azure Cosmos DB accounts improves security and isolation: the account's network filter only admits traffic from the VNet subnets you explicitly allow, and further access control policies can be layered on top. When an Azure Cosmos DB account is integrated with a virtual network, it is no longer reachable from the public internet; network access to the DB account is limited to the cloud resources and applications running inside the allowed subnets of that virtual network.
Audit
To determine if your Azure Cosmos DB account is secured with an Azure virtual network (VNet), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Azure Cosmos DB account, and choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.
07 Select the Public access tab and check the Public network access setting to determine the level of network access configured for the selected resource. If Public network access is not set to Selected networks, the Azure Cosmos DB account is not secured with a virtual network (VNet) and the Audit process ends here. If Public network access is set to Selected networks, check the list of virtual networks associated with the DB account in the Virtual networks section. If no virtual networks are listed there, access to the selected Azure Cosmos DB account is not restricted to a virtual network (VNet), i.e. VNet integration is not enabled for your Cosmos DB account.
08 Repeat steps no. 5 - 7 for each Azure Cosmos DB account deployed in the selected Azure subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run the account set command (Windows/macOS/Linux), passing the ID of the Azure cloud subscription that you want to examine as the --subscription parameter, to make the selected subscription the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run the cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription:
az cosmosdb list --query '[*].id'
05 The command output should return the requested Azure Cosmos DB account IDs:
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account"
]
06 Run the cosmosdb show command (Windows/macOS/Linux), passing the ID of the Azure Cosmos DB account that you want to examine as the --ids parameter, with custom output filters to determine whether the selected Cosmos DB account is associated with a virtual network (VNet) subnet:
az cosmosdb show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --query '{"subnetId":virtualNetworkRules[].id}'
07 The command output should return the ID(s) of the associated VNet subnet(s):
{
  "subnetId": []
}
If the cosmosdb show command output returns an empty array (i.e., []) for the "subnetId" attribute, as shown in the example above, the selected Azure Cosmos DB account is not associated with any Azure virtual network (VNet) subnet. Consequently, VNet integration is not enabled for your Azure Cosmos DB account.
08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that your Microsoft Azure Cosmos DB account can be accessed only from an Azure virtual network (VNet), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Azure Cosmos DB account, and choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.
07 Select the Public access tab and perform the following actions to enable and configure virtual network integration:
- Ensure that Public network access is set to Selected networks.
- For Virtual networks, choose Add existing virtual network and provide the following information:
- Ensure that the correct Azure subscription is selected for Subscription.
- For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your Azure Cosmos DB account.
- For Subnet, select the VNet subnet that you want to provide access to your Azure Cosmos DB account.
- Ensure that the Do not configure 'Microsoft.AzureCosmosDB' service endpoint(s) at this time checkbox is unchecked.
- Choose Enable to enable virtual network (VNet) integration.
- (Optional) To create a new Azure virtual network (VNet) and associate it with your Cosmos DB account, choose + Add new virtual network from Virtual network and follow the setup wizard to create a new VNet.
08 Repeat steps no. 5 - 7 for each Azure Cosmos DB account that you want to configure, available in the selected Azure subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run the account set command (Windows/macOS/Linux), passing the ID of the Azure cloud subscription that you want to access as the --subscription parameter, to make the selected subscription the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run the cosmosdb update command (Windows/macOS/Linux) to enable the virtual network (VNet) filter for the selected Azure Cosmos DB account; without this flag, any VNet rules attached later are not enforced:
az cosmosdb update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --enable-virtual-network true
05 The command output should return the information available for the modified Azure Cosmos DB account:
{
  "analyticalStorageConfiguration": {
    "schemaType": "WellDefined"
  },
  "backupPolicy": {
    "migrationState": null,
    "periodicModeProperties": {
      "backupIntervalInMinutes": 240,
      "backupRetentionIntervalInHours": 8,
      "backupStorageRedundancy": "Local"
    }
  },
  ...
  "capabilities": [],
  "capacity": {
    "totalThroughputLimit": 1000
  },
  "connectorOffer": null,
  "consistencyPolicy": {
    "defaultConsistencyLevel": "Session",
    "maxIntervalInSeconds": 5,
    "maxStalenessPrefix": 100
  }
}
06 Run the cosmosdb network-rule add command (Windows/macOS/Linux) to create and attach a virtual network (VNet) rule to your Azure Cosmos DB account. The --name parameter takes the name of the Cosmos DB account (not a rule name), --resource-group its resource group, and --subnet the resource ID of the VNet subnet that you want to allow:
az cosmosdb network-rule add --resource-group "cloud-shell-storage-westeurope" --name "cc-project5-cosmos-database" --subnet "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
07 The command output should return the information for the modified Cosmos DB account:
{
  "analyticalStorageConfiguration": {
    "schemaType": "WellDefined"
  },
  "apiProperties": null,
  "backupPolicy": {
    "migrationState": null,
    "periodicModeProperties": {
      "backupIntervalInMinutes": 240,
      "backupRetentionIntervalInHours": 8,
      "backupStorageRedundancy": "Local"
    }
  },
  ...
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "virtualNetworkRules": [
    {
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
      "ignoreMissingVnetServiceEndpoint": false,
      "resourceGroup": "cloud-shell-storage-westeurope"
    }
  ]
}
08 Repeat steps no. 4 - 7 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
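The CLI audit and remediation procedures above can be automated across every subscription. The following script is an added example, not code from the original page or from Azure: it drives the same az commands the steps list, and its evaluate_account() function is pure so the verdict can be checked on constructed account documents (the sample subnet ID mirrors the network-rule add output above) without an Azure login.

```python
"""Audit and remediate VNet integration for Azure Cosmos DB accounts.
Added example (not the page's own code): it drives the Azure CLI commands the
page lists; evaluate_account() is pure so it can be checked offline."""
import json
import subprocess

# Constructed `az cosmosdb show` fragments: a fresh account and a remediated one.
OPEN_ACCOUNT = {"isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": []}
LOCKED_ACCOUNT = {"isVirtualNetworkFilterEnabled": True, "virtualNetworkRules": [
    {"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
           "cloud-shell-storage-westeurope/providers/Microsoft.Network/"
           "virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
     "ignoreMissingVnetServiceEndpoint": False}]}


def az(*args):
    """Run an Azure CLI command; return parsed JSON, or None for silent commands."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def evaluate_account(account):
    """Verdict for one account document. `virtualNetworkRules` is the list the
    page queries; `isVirtualNetworkFilterEnabled` is what --enable-virtual-network
    true sets. Rules are enforced only once the filter is on, so both are needed."""
    if not account.get("isVirtualNetworkFilterEnabled"):
        return "non-compliant: VNet filter disabled"
    if not account.get("virtualNetworkRules"):
        return "non-compliant: no VNet subnet rules"
    return "compliant"


def audit_subscription(sub_id):
    """Audit steps 3-8 for one subscription: {account id: verdict}."""
    az("account", "set", "--subscription", sub_id)
    return {acct: evaluate_account(az("cosmosdb", "show", "--ids", acct))
            for acct in az("cosmosdb", "list", "--query", "[*].id")}


def remediate(account_id, resource_group, account_name, subnet_id):
    """Remediation steps 4 and 6: enable the filter, then allow one subnet by ID."""
    az("cosmosdb", "update", "--ids", account_id, "--enable-virtual-network", "true")
    az("cosmosdb", "network-rule", "add", "--resource-group", resource_group,
       "--name", account_name, "--subnet", subnet_id)


if __name__ == "__main__":  # walk every subscription, as audit step 9 says
    for sub in az("account", "list", "--query", "[*].id"):
        for acct, verdict in audit_subscription(sub).items():
            print(sub, acct, verdict)
```

Run it with an authenticated az session; pass a non-compliant account ID, its resource group, account name and the subnet resource ID to remediate() only after confirming the subnet has the Microsoft.AzureCosmosDB service endpoint (the portal checkbox in step 07 above).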
References
- Azure Official Documentation
- Manage an Azure Cosmos DB account by using the Azure portal
- Configure access to Azure Cosmos DB from virtual networks (VNet)
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az cosmosdb list
- az cosmosdb show
- az cosmosdb update
- az cosmosdb network-rule add
Related CosmosDB rules
- Enable Diagnostic Logs for Azure Cosmos DB Accounts (Security, reliability, operational-excellence, cost-optimisation, performance-efficiency)
- Use Role-Based Access Control for CosmosDB Data Plane Access (Security)
- Use Resource Locks for Azure Cosmos DB Accounts (Security)
- Regenerate Access Keys for Azure Cosmos DB Accounts (Security)